Bob,
I implemented importing and exporting of a private key from a PKCS#8
file using the NSS API.
Here is what I found based on my testing:

Using the Mozilla NSS API, I can only import/export a private key in PKCS#8
format with the
"PKCS12 V2 PBE With SHA1 And 3KEY Triple DES-cbc" encryption algorithm.
I would like to support the other encryption algorithms supported by OpenSSL.

Using the NSS API, I can import a private key from an OpenSSL-generated PEM file
(openssl rsa ...) with
DES-EDE3-CBC (-des3 option) encryption only.
But I cannot read the private key from a Mozilla NSS API-generated PEM
file using the OpenSSL API,
because NSS uses a 16-byte salt for encryption but the OpenSSL API expects
an 8-byte salt.

--
Subrata


Robert Relyea wrote:
> Subrata Mazumdar wrote:
>> Nelson,
>> thanks very much for the clear answer - I did not realize that the 
>> Mozilla NSS does not support PKCS#8.
>> I also agree with you that PKCS#12 format is the right way to 
>> import/export keys.
>> The problem is that a large number of OpenSSL-based applications
>> still use separate files
>> for the private key and the public key cert. Actually, the problem is even
>> worse - some of the applications
>> use an unencrypted private key or an OpenSSL-specific encrypted PEM file
>> (generated using the 'openssl rsa' command).
>> Anyway, thanks once again.
>>   
> I believe Elio has some sample code that can import and export 
> *wrapped* PKCS #8 keys stored in Pem format. Unwrapped keys are not 
> considered safe. To support them you would need to manually 
> encrypt/decrypt the wrapped keys. NSS does not have an interface to 
> release unencrypted keys and applications are strongly discouraged 
> from using them. Even openssl prefers encrypted to unencrypted keys.
>
> bob
>> -- 
>> Subrata
>>
>> Nelson Bolyard wrote:
>>  
>>> Subrata Mazumdar wrote, On 2008-09-26 07:19:
>>>      
>>>> Hi,
>>>> I am having a problem reading a PKCS#8 file generated by the OpenSSL
>>>> command line tool ("openssl pkcs8").
>>>>           
>>> Officially, import and export of pkcs#8 files is not supported in NSS.
>>> You may or may not be able to get it to work, but because of the
>>> security concerns of PKCS#8 files, NSS does not support them.
>>>
>>> PKCS#12 is the supported way to import or export private keys and their
>>> related certificates. If you have a problem with PKCS#12, you can get
>>> support from the NSS team.
>>>
>>> PKCS#12 is the one universally implemented private key transport 
>>> method.
>>> OpenSSL also supports PKCS#12, and so does Windows.
>>>       
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
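The salt-length mismatch Subrata reports can be checked directly from the PEM headers, because OpenSSL's "traditional" encrypted PEM format (the `openssl rsa -des3` output discussed above) carries the cipher name and IV in a `DEK-Info:` line, expects that IV to be exactly the cipher's block size (8 bytes for DES-EDE3-CBC), and feeds the first 8 bytes of it as the salt to its EVP_BytesToKey derivation (MD5, one iteration). The script below is an added example written for this page, not code from the thread, from NSS or from OpenSSL. It parses the `DEK-Info` header, reports whether the IV length is what OpenSSL expects for that cipher (the check goes beyond the thread's DES-EDE3-CBC case and also covers DES-CBC and the AES-CBC ciphers OpenSSL accepts in the same header), and reproduces the key derivation so the effect of the salt length is visible. The two PEM blocks are constructed samples with dummy base64 bodies, since only the headers are inspected; the `NSS_STYLE_PEM` sample models the 16-byte value described in the message and is an assumption about its layout, not a captured NSS output.

```python
import hashlib
import re

# Traditional (pre-PKCS#8) OpenSSL PEM ciphers: (key length, IV length) in bytes.
# The IV from the DEK-Info header doubles as the KDF salt (first 8 bytes only).
PEM_CIPHERS = {
    "DES-CBC": (8, 8),
    "DES-EDE3-CBC": (24, 8),
    "AES-128-CBC": (16, 16),
    "AES-192-CBC": (24, 16),
    "AES-256-CBC": (32, 16),
}

# Constructed sample (not from the thread). The body is dummy base64 because
# only the headers are inspected here.
OPENSSL_STYLE_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

QUFBQUFBQUFBQUFBQUFBQQ==
-----END RSA PRIVATE KEY-----
"""

# Assumed shape of the file the thread says NSS writes: a 16-byte value in the
# position where OpenSSL's DES-EDE3-CBC reader expects 8 bytes.
NSS_STYLE_PEM = OPENSSL_STYLE_PEM.replace(
    "0123456789ABCDEF", "0123456789ABCDEF0123456789ABCDEF")

_PROC_TYPE_RE = re.compile(r"^Proc-Type:\s*4,ENCRYPTED\s*$", re.M)
_DEK_INFO_RE = re.compile(r"^DEK-Info:\s*([A-Z0-9-]+),([0-9A-Fa-f]+)\s*$", re.M)


def parse_dek_info(pem):
    """Return (cipher_name, iv_bytes) from an encrypted traditional PEM block."""
    if not _PROC_TYPE_RE.search(pem):
        raise ValueError("PEM block is not marked Proc-Type: 4,ENCRYPTED")
    match = _DEK_INFO_RE.search(pem)
    if not match:
        raise ValueError("missing or malformed DEK-Info header")
    return match.group(1), bytes.fromhex(match.group(2))


def check_openssl_compat(pem):
    """Report whether the DEK-Info IV length matches what OpenSSL expects."""
    cipher, iv = parse_dek_info(pem)
    if cipher not in PEM_CIPHERS:
        return {"cipher": cipher, "iv_len": len(iv),
                "expected_iv_len": None, "ok": False}
    _, expected_iv_len = PEM_CIPHERS[cipher]
    return {"cipher": cipher, "iv_len": len(iv),
            "expected_iv_len": expected_iv_len, "ok": len(iv) == expected_iv_len}


def evp_bytes_to_key(password, salt, key_len, iv_len, count=1):
    """OpenSSL EVP_BytesToKey with MD5: D_i = MD5(D_{i-1} || password || salt).

    Blocks are concatenated until key_len + iv_len bytes are available;
    `count` extra MD5 rounds per block are applied when count > 1.
    """
    derived = b""
    prev = b""
    while len(derived) < key_len + iv_len:
        block = hashlib.md5(prev + password + salt).digest()
        for _ in range(count - 1):
            block = hashlib.md5(block).digest()
        derived += block
        prev = block
    return derived[:key_len], derived[key_len:key_len + iv_len]


def derive_pem_key(pem, password):
    """Derive the cipher key OpenSSL would use for a traditional PEM key.

    OpenSSL passes the header IV as the salt, of which EVP_BytesToKey consumes
    only the first 8 bytes, and uses the header IV itself (not a derived one)
    as the CBC IV. A header whose IV length is wrong for the cipher is
    rejected before any derivation, which is the failure the thread describes.
    """
    report = check_openssl_compat(pem)
    if not report["ok"]:
        raise ValueError(
            "DEK-Info IV is %d bytes, OpenSSL expects %s for %s"
            % (report["iv_len"], report["expected_iv_len"], report["cipher"]))
    cipher, iv = parse_dek_info(pem)
    key_len, _ = PEM_CIPHERS[cipher]
    key, _ = evp_bytes_to_key(password, iv[:8], key_len, 0)
    return cipher, key, iv


if __name__ == "__main__":
    for label, sample in (("openssl-style", OPENSSL_STYLE_PEM),
                          ("nss-style", NSS_STYLE_PEM)):
        print(label, check_openssl_compat(sample))
    cipher, key, iv = derive_pem_key(OPENSSL_STYLE_PEM, b"secret")
    print(cipher, "key:", key.hex(), "iv:", iv.hex())
```

The script deliberately stops at key derivation: decrypting the body would need a 3DES implementation outside the standard library, and the interoperability problem in the thread is already visible at the header stage. For real deployments the thread's recommendation stands: move the key and certificate through PKCS#12 rather than relying on traditional PEM headers agreeing between implementations.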